As part of the ongoing development of content to combat threats, RSA develops content bundles. These are grouped sets of content (rules, parsers, feeds) that can be deployed as a group from RSA Live.

Deploying a Bundle

You can deploy all of the items in the bundles through Live.

Note: If you are in an environment where you cannot Deploy, create a resource package (select > Create) to download a ZIP archive that you can use instead. Do not use the button, as it does not work for bundles.

The Hunting Pack is a set of content that derives indicators of compromise and anomalous events. For details about the contents of the pack and the suggested investigation techniques, refer to the Hunting Guide, https://community.rsa.com/docs/DOC-62341. Deploying this bundle downloads all of the content and content dependencies of the Hunting Pack, including the associated feed, Lua parsers and reports.

Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: netname, direction, ioc, boc, eoc, analysis.service, analysis.session, analysis.file. In the Hunting Guide, see the section Hunting Pack > Meta Keys for more information. The traffic_flow Lua parser may be deployed to a Log Decoder, but this is not currently supported through Live. In the Traffic Flow Lua parser documentation, https://community.rsa.com/docs/DOC-44948, see the section Deploy to Log Decoders.

This pack contains a set of content specific to known, identified threats such as known malware, crimeware, RAT campaigns, etc. See the dependencies for a full list of bundled content. For more detailed documentation, see https://community.rsa.com/docs/DOC-76524

This pack contains a set of starter content specific to log deployments that will help organizations view and understand user behaviors. See the dependencies for a full list of bundled content.

Medium: log

Tags: assurance, featured, identity, operations, threat

Packet Starter Pack

This pack contains a set of starter content specific to packet deployments that will help organizations view malware-related traffic. See the dependencies for a full list of bundled content.

Medium: packet

Tags: assurance, featured, identity, operations, threat

UEBA Essentials

UEBA Pack

The purpose of UEBA Essentials and user hunting is to detect, or bring focus to, suspicious user and entity behavior in order to find potential insider threats, lateral movement by external attackers, or general abuse or misuse of user accounts. Deploying this bundle downloads all of the content and content dependencies of UEBA Essentials to the services appropriate for each content type.